From 1dfcd396fc520f5f5ae15e16cb8a82546b0e7eb1 Mon Sep 17 00:00:00 2001
From: Travis Groth
Date: Fri, 20 Dec 2019 06:20:39 -0500
Subject: [PATCH] config: Validate that `shared_key` does not contain whitespace

---
 config/options.go | 4 ++++
 config/options_test.go | 1 +
 docs/docs/CHANGELOG.md | 1 +
 3 files changed, 6 insertions(+)

diff --git a/config/options.go b/config/options.go
index f342d4ede..3aaf1ad26 100644
--- a/config/options.go
+++ b/config/options.go
@@ -414,6 +414,10 @@ func (o *Options) Validate() error {
 return errors.New("config: shared-key cannot be empty")
 }
 
+ if o.SharedKey != strings.TrimSpace(o.SharedKey) {
+ return errors.New("config: shared-key contains whitespace")
+ }
+
 if o.AuthenticateURLString != "" {
 u, err := urlutil.ParseAndValidateURL(o.AuthenticateURLString)
 if err != nil {
diff --git a/config/options_test.go b/config/options_test.go
index 1eb3a87ac..94974baa8 100644
--- a/config/options_test.go
+++ b/config/options_test.go
@@ -279,6 +279,7 @@ func Test_NewOptionsFromConfigEnvVar(t *testing.T) {
 {"bad cert key base64", map[string]string{"CERTIFICATE_KEY": "bad cert", "SHARED_SECRET": "YixWi1MYh77NMECGGIJQevoonYtVF+ZPRkQZrrmeRqM="}, true},
 {"bad no certs no insecure mode set", map[string]string{"SHARED_SECRET": "YixWi1MYh77NMECGGIJQevoonYtVF+ZPRkQZrrmeRqM="}, true},
 {"good disable headers ", map[string]string{"HEADERS": "disable:true", "INSECURE_SERVER": "true", "SHARED_SECRET": "YixWi1MYh77NMECGGIJQevoonYtVF+ZPRkQZrrmeRqM="}, false},
+ {"bad whitespace in secret", map[string]string{"INSECURE_SERVER": "true", "SERVICES": "authenticate", "SHARED_SECRET": "YixWi1MYh77NMECGGIJQevoonYtVF+ZPRkQZrrmeRqM=\n"}, true},
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md
index 1893cba3a..98f25eb27 100644
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
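Review bot: The new guard in `Validate` compares `o.SharedKey` against `strings.TrimSpace(o.SharedKey)`, so it only rejects leading or trailing whitespace while the error it returns says the key "contains whitespace"; a value with an interior space or tab still passes and is then used as the shared secret. If the intent is the message as written, `if strings.IndexFunc(o.SharedKey, unicode.IsSpace) >= 0 {` covers every position (and needs a `unicode` import); if only the trailing-newline case from secret files is meant, the message should say so, e.g. `"config: shared-key has leading or trailing whitespace"`. The new table case in `config/options_test.go` only exercises a trailing `\n`, so a case with an interior space would pin whichever behaviour is chosen. The enclosing `Validate` method begins and ends outside this hunk.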
@@ -9,6 +9,7 @@ - Added yaml tags to all options struct fields - [GH-394](https://github.com/pomerium/pomerium/pull/394) - [GH-397](https://github.com/pomerium/pomerium/pull/397) +- Improved config validation for `shared_secret` [GH-427](https://github.com/pomerium/pomerium/pull/427) ### Fixed